电脑计算机论坛

 找回密码
 注册

QQ登录

只需一步,快速开始

查看: 3461|回复: 0

交换机使用PEAP及EAP-TLS协议进行802.1x认证

[复制链接]
admin 发表于 2010-9-25 17:06:42 | 显示全部楼层 |阅读模式
设备情况:
  * Cisco Catalyst 2950T-24交换机,Version 12.1(22)EA1b
  * 一台Windows 2000 Server SP1服务器做为AD Server及CA Server
  * 一台Windows 2000 Server SP4服务器做为ACS Server
  * 一台Windows XP SP2工作站做为终端接入设备
  * Cisco Secure ACS for Windows version 3.2.3
  
  严重说明:因为MS CA证书服务的一个缺陷,在某些客户机上使用WEB页面进行证书申请时会出现“Downloading ActiveX Control”提示信息后不能继续下一步的错误,请参阅MS QB323172下载相关补丁进行处理,并请参阅文末的tips:
  http://support.microsoft.com/default.aspx?...kb;en-us;330389
  http://support.microsoft.com/default.aspx?...kb;en-us;323172
  
  拓扑图见下:
  
  传统802.1x认证采用MD5-Challenge认证,用户在接入网络时需输入用户名和口令,安全性也相对薄弱。PEAP和EAP-TLS都是利用了TLS/SSL隧道,PEAP只使用了服务器端的认证,只是服务器端拥有证书并向用户提供证明,而EAP-TLS使用了双向认证,ACS服务器和客户端均拥有证书并进行相互间的身份证明。
  
  一、配置Secure ACS
  1、在ACS服务器上申请证书
  在AD Server上做好AD安装及证书服务设置后,在ACS服务器浏览器上键入http://192.168.168.196/certsrv进入证书WEB申请页面,登录用户采用域管理用户账号。
  选择“Request a certificate→Advanced request→Submit a certificate request to this CA using a form”,接下来Certificate Template处选择“Web Server”,Name:处填入“TestACS”,Key Options:下的Key Size:填入“1024”,同时勾选“Mark keys as exportable”及“Use local machine store”两个选项,然后submit。出现安全警告时均选择“Yes”,进行到最后会有Certificate Installed的提示信息;
  
  2、进行ACS的证书配置
  进入ACS配置界面后选择“System Configuration→ACS Certificate Setup→Install ACS Certificate→Use certificate from storage→Certificate CN”,填入上一步的CA CN名“TestACS”,然后submit;
  
  3、配置ACS所信任的CA
  再选择“System Configuration→ACS Certificate Setup→Edit Certificate Trust List”,选择AD Server上的根证书做为信任证书;
  
  4、重启ACS服务并进行PEAP设置
  选择“System Configuration→Service Control→Restart”重启服务;
  选择“System Configuration→Global Authentication Setup”,勾选“Allow EAP-MSCHAPv2”及“Allow EAP-GTC”选项,同时勾选“Allow MS-CHAP Version 1 Authentication”及“Allow MS-CHAP Version 2 Authentication”选项;
  
  5、配置AAA Client
  选择“Network Configuration→Add Entry”,在“AAA Client”处输入交换机的主机名,“AAA Client IP Address”处输入C2950T的管理IP地址,在“Key”处输入RADIUS认证密钥,“Authenticate Using”处选择“RADIUS(IETF)”;
  
  6、配置外部用户数据库
  选择“External User Databases→Database Configuration→Windows Database→Create New Configuration→Configure”,在Configure Domain List处将ACS Server所在的域名移动到“Domain List”中。这里要注意的一点是ACS Server所在机器这时应已加入到域中,同时“Dialin Permission”中的默认勾选项应去掉,如不去掉的话,域管理用户和终端用户均需设置Dial-in访问权限。
  同时在“Windows EAP Settings”的“Machine Authentication”下勾选“Enable PEAP machine authentication”选项,“EAP-TLS and PEAP machine authentication name prefix.”处使用默认的“host/”不用改动。
  再选择“External User Databases→Unknown User Policy→Check the following external user databases”,将“Windows Database from External Databases”移动到右边的Selected Databases窗口中。
  做完修改后再在Service Control中重启服务;
  
  二、配置AAA客户端及802.1x
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  !---和802.1x相关的AAA设置
  
  dot1x system-auth-control
  !---打开802.1x功能
  
  interface FastEthernet0/2
  switchport mode access
  dot1x port-control auto
  spanning-tree portfast
  !---在F0/2口上打开802.1x端口控制功能
  
  radius-server host 192.168.168.155 key xxxxxx
  !---定义RARIUS Server
  
  三、配置终端接入设备
  1、在AD Server上配置MS Certificate Machine Autoenrollment
  在AD Server的管理工具中打开“Active Directory Users and Computers”,在域名上点右键选择Properties,然后选择“Group Policy→Default Domain Policy→Edit”,然后选择“Computer Configuration→Windows Settings→Security Settings→Public Key Policies→Automatic Certificate Request Settings”,在菜单项中选择“Action→New→Automatic Certificate Request→Computer”,选中CA服务器后按下一步结束配置;
  
  2、将终端设备加入域
  这个过程大家都会,不多说了;
  
  3、在终端设备上手动安装根证书
  如已配置“Certificate Machine Autoenrollment”,此步骤可忽略。
  登录域后在浏览器上键入http://192.168.168.196/certsrv进入证书WEB申请页面,登录用户采用域管理用户账号。
  选择“Retrieve the CA certificate or certificate revocation list→Download CA certificate→Install Certificate→Automatically select the certificate store based on the type of the certificate”,按下一步结束证书安装;
  
  4、进行终端设备上的802.1x认证设置
  在以太网卡的连接属性中选择“Authentication→Enable IEEE 802.1x authentication for this network”,EAP type选为“Protected EAP(PEAP)”,勾选“Authenticate as computer when computer information is available”,然后再点Properties,在EAP属性窗口中选择“Validate server certificate”,同时在“Trusted Root Certificastion Authorities:”窗口中选择对应的ROOT CA,这里为acs-ca,Authentication Method选成“Secure password (EAP-MSCHAP v2)”。再点Configure按钮确保“Automatically use my Windows logon name and password (and domain if any)”选项已被选中;
  
  四、结果查看
  所有配置完成后查看认证结果:
  
  Switch#sh dot1x int f0/2
  Supplicant MAC <Not Applicable>
  AuthSM State = CONNECTING
  BendSM State = IDLE
  PortStatus = UNAUTHORIZED
  MaxReq = 2
  HostMode = Single
  Port Control = Auto
  QuietPeriod = 60 Seconds
  Re-authentication = Disabled
  ReAuthPeriod = 3600 Seconds
  ServerTimeout = 30 Seconds
  SuppTimeout = 30 Seconds
  TxPeriod = 30 Seconds
  Guest-Vlan = 0
  
  Switch#sh dot1x int f0/2
  Supplicant MAC 000b.6a2a.03cb
  AuthSM State = AUTHENTICATING
  BendSM State = RESPONSE
  PortStatus = UNAUTHORIZED
  MaxReq = 2
  HostMode = Single
  Port Control = Auto
  QuietPeriod = 60 Seconds
  Re-authentication = Disabled
  ReAuthPeriod = 3600 Seconds
  ServerTimeout = 30 Seconds
  SuppTimeout = 30 Seconds
  TxPeriod = 30 Seconds
  Guest-Vlan = 0
  
  Switch#sh dot1x int f0/2
  Supplicant MAC 000b.6a2a.03cb
  AuthSM State = AUTHENTICATED
  BendSM State = IDLE
  PortStatus = AUTHORIZED
  MaxReq = 2
  HostMode = Single
  Port Control = Auto
  QuietPeriod = 60 Seconds
  Re-authentication = Disabled
  ReAuthPeriod = 3600 Seconds
  ServerTimeout = 30 Seconds
  SuppTimeout = 30 Seconds
  TxPeriod = 30 Seconds
  Guest-Vlan = 0
  !---认证通过
  
  查看终端设备网络连接提示,此时已为“Authentication succeeded.”
  
  五、TIPS
  * 注意Windows客户端在安装根证书时应保持和网络的正常连接,如此时在端口上设置了802.1x,则网络是断开的;
  * AD Server上的证书服务应在IIS服务安装之后再装,否则certificate web enrollment不能成功;
  * MS QB323172 hotfix应在证书服务安装之后再进行,如已安装了此hotfix后才安装证书服务,则需在安装证书服务后再安装一遍此hotfix;
  * MS QB323172 hotfix是针对Windows SP3以前的补丁,如已安装了SP4则此hotfix不能安装。但我装了SP4后“Downloading ActiveX Control”出错信息仍然存在,只好用SP1的版本安装后再装此hotfix问题方消除,不知何故;
  * 如是在实际环境中使用,应确保AAA client到AAA server的UDP 1812/1813端口没被无意中被block;
  * ACS版本应尽量新,因为那个众所周知的Java出错问题,安装ACS机器的OS最好是E文版的OS;
您需要登录后才可以回帖 登录 | 注册

本版积分规则


QQ|手机版|小黑屋|电脑计算机论坛 ( 京ICP备2022023538号-1 )

GMT+8, 2024-11-23 19:38 , Processed in 0.102798 second(s), 20 queries .

Powered by Discuz! X3.5

© 2001-2024 Discuz! Team.

快速回复 返回顶部 返回列表